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1 Executive Summary 


1.1 Background 

As part of the 2016-17 Internal Audit Plan, we have agreed with 
management and the Audit Committee to undertake a review to provide 
assutance over the People Strategy that is currently being put in place. 


The Information Commissioner’s Office (ICO) is facing a period of 
significant change and uncertainty. The decision to leave the European 
Union has introduced uncertainty both to the economy and political 
landscape as well as to decisions on the legislation which will be 
implemented to meet the requirements of the General Data Protection 
Regulation (GDPR) which will come into effect in May 2018 but it is not 
clear how the UK will amend data protection law and therefore the impact 
that will have on the UK’s data protection regulator, the ICO. One of the 
uncertainties relates to the ICO operations to provide ongoing support to 
enforce UK data protection law and the people (both numbers and skills) 
required to deliver those operational services. 


The People Strategy sets out the ICO’s objectives and plans to attract the 
right people to the organisation, retain people and ensure staff welfare 
makes the ICO a place people want to work. This review has considered 
what the ICO is planning, and identifies what controls are to be introduced 
or changed to provide assurance that the related risks to the organisational 
growth will be effectively managed. 
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1.2 Scope 
Our review involved a high-level assessment of the following risks: 


Leadership 

e The ICO has not defined the future demand for its services and 
therefore cannot set the requirements for the skills and staff resources 
required (for example the impact of GDPR). 

e The strategy has insufficient planning flexibility, leaving the ICO 
unable to meet future demands that could be placed on the UK data 
protection regulator. 

e The People Strategy does not set out the organisational changes that 
may be needed to manage significantly more staff. 

e There is no clear roadmap or action plan of how to execute the 
strategy. 


Communications 

e Staff communication/engagement at the ICO is poor leading to staff 
performance that does not meet requirements, high turnover of staff 
or staff becoming disengaged leading to disruption of core operations. 

e ICO management team is not able to engage with staff and motivate 
them to meet the organisation’s objectives. 

e There are no measures of success in place that allow the ICO 
management team to establish the extent to which the People Strategy 
is being delivered. 
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Staff recruitment, retention, development and deployment 

e The ICO is not able to recruit the skills or the quantity of resources 
required to meet is regulatory obligations. 

e The ICO loses key staff as the demand for experienced data protection 
officers increases and the ICO is not able to match employment terms 
and conditions on offer elsewhere in the market. 

e Staff management practices fail to ensure staff performance is 
managed appropriately, or are unable to cope with significant increases 
in staff numbers. 

e Staff are not provided with appropriate development and training 
opportunities, leading to skills gaps and/or loss of morale. 

e ICO cannot meet the demand for its services, taking into account 
limited resources such as the number of people and the limitation of 
current accommodation. 

e Deployment of staff resources is inefficient or ineffective, leading to 
ICO functions not having appropriate staff (either in quality/skills or 
quantity) or staff who are under-utilised. 


Further details on responsibilities, approach and scope are included in 
Appendix A. 


1.3 Overall assessment 
We have made an overall assessment of our findings as: 
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1.4 Key findings 


Risk / Process 


Defining the future demand for 
services 


Measuring Success - 


Recruiting sufficiently skilled staff - 1 - - 


Market rate equivalence - - 1 - 


Total - 2 2 - 


Overall assessment 


Following agreement of the nature and significance of individual issues 
with management, in our view this report contains matters which require 
the attention of management to resolve and report on progress in line 
with current follow up processes. 


Please refer to Appendix B for further information regarding our overall 
assessment and audit finding ratings. 
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The following findings were assessed as Medium: 


e Although detailed budgets were not available from Her Majesty’s 
Treasury (HMT) or the Department for Culture, Media and Sport 
(DCMS), Organisational Development has not completed as detailed 
a delivery plan as we would expect at this stage. The plan should take 
into account and set out the preparations for the structural changes 
required to deliver future GDPR requirements and meet increased 
demand from both the general public and external organisations for 
ICO services. The plan should make provision for a limited set of 
scenarios, no more than three, in order to establish resources 
required, timescales for delivery, internal resourcing estimates, 
recruitment strategies (and likely timescales to meet recruitment 
demand), potential management structures, accommodation 
requirements / amendments, agile working and additional measures 
to ensure staff retention continues to meet ICO requirements going 
forward. 

Note: Budgets are expected to be available by the end of 2016. 

e The ICO has developed a recruitment strategy that recognises that 
there are challenges in being able to recruit skilled individuals in the 
current economic environment and details at a high level a number of 
areas where the ICO should develop. It has not though completed 
detailed planning to develop the most efficient and effective model to 
recruit potentially large numbers of quality staff in a timely manner to 
meet developing business needs. Contingency plans to recruit and 
train generalist staff, should subject experts not be available, need to 
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be put in place. The announcement that the government will 
recommend that GDPR will be fully implemented has not yet 
translated into pressure in the recruitment market for data protection 
experts. However, we would expect that the ICO to complete this 
work as soon as possible to manage the risk that recruitment in this 
area will become more difficult as GPPR implementation approaches. 


1.5 Basis of preparation 
We identified the following controls in place during our audit: 


e The ICO has published a People Strategy that sets out a clear single 
vision, to make the ICO a ‘Great place to work and develop’. This 
vision is underpinned by six aims; ‘Recruit the best people’; ‘Involve 
and empower our people’; ‘Develop people to deliver first class 
services’; ‘Lead our people and achieve high performance’; ‘Recognise 
and reward people’ and ‘Support and care about our people’. 

e = Supporting the People Strategy, Organisational Development has 
developed a Recruitment Strategy that sets out the overall strategy for 
filling vacant posts identified in the business by making the most 
effective use of development and promotion opportunities for 
existing staff, and the recruitment and selection of new staff. 

e Corporate Affairs have developed a communications strategy to 
support the people strategy and provide assurance that senior 
management (led by the Information Commissioner) communicate 
regularly and effectively with staff. 

e The ICO completes an annual staff survey (the last was run in April 
2016) to judge the success of strategic plans such as the People 
Strategy, Transformation projects, Training and Development. 
Results from this survey have fed into the People Strategy 2016-17 
and have driven the development of the Strategy Communication 
plan by Corporate Affairs. 

e The ICO has an embedded performance reporting and staff 
development processes in place. Line managers are responsible for 
assessing individual staff performance through in-year reviews, annual 
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appraisal reviews and informal monitoring (i.e. through day-to-day 
interaction, communication and feedback). 


1.6 Acknowledgement 
We would like to take this opportunity to thank the staff involved for their 
co-operation during this internal audit. 
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2 Detailed Findings 
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a | Medium | Defining the future demand for services 


and staff resources required (for example the impact of GDPR). 


Risk: Leadership - The ICO has not defined the future demand for its services and therefore cannot set the requirements for the skills 


Finding and Implication 


To define the future demand for services, the Department for Culture, 
Media and Sport (DCMS) has been working on developing a capacity 
impact analysis in relation to GDPR implementation. This forecast is 
however still in draft, with both impact, resourcing and budgetary 
discussions are ongoing between DCMS and Her Majesty’s Treasury 
(HMT). Whilst awaiting the completion of this work, internal forecasts 
based upon the development of business structures to support Data 
Protection and Privacy and Electronic Communication legislation within 
the ICO in the past was used. As a result, the ICO has been working on 
an informal internal estimate of an increase in the region of 100 staff in 
areas such as Human Resources, Policy Development, Enforcement 
and Business Improvement. Actions to deliver this increase in staff and 
the organisational changes required to support a larger ICO are detailed 
in the People Strategy 2016-17 and the Recruitment Strategy 2016-19 
and are being implemented through the ‘People’ strand of the ICO 
Change Programme. 


To support delivery of the ‘People’ strand, Organisational Development 
has not completed detailed planning that clearly sets out the timetable 
and any dependencies on recruitment activities that covers: 

e A draft budget and recruitment delivery scenario (or budgets and 
scenarios if required) based upon the ICO's knowledge of GDPR 
requirements and the expected impact on internal resourcing 
estimates; 

e Proposed management structures within business areas that will be 


Proposed Action 


Pending confirmation of final budgets or staffing increases from the 
DCMS, using the ICO’s own internal forecast, Organisational 
Development should develop: 

e Model operating structures for each area that will require increased 
capacity, taking into account: 

e Operational delivery requirements; 

e Accommodation capacity; and 

e The maximum number of staff that can be effectively managed 
by reporting managers. 

e A formal delivery project plan, including resource requirements and 
lead times for each delivery stage for the model structure that 
includes: 

e A plan and delivery date for the completion of the recruitment 
process review and implementation of the updated processes; 

e Recruitment lead times, induction and training (including the 
availability of induction and training resources); 

e Plans for effective accommodation and utilisation of new and 
existing staff (including the effective management of shift 
patterns or agile working). 
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T Defining the future demand for services 


most affected by staff increases, providing detail such as structural 
organograms and maximum numbers of team members that can be 
effectively allocated to a reporting manager in a functional area; 

e Plans for induction and training (which include the availability of 
training rooms and training resources) for increased cohort intakes; 

e Accommodation of increased numbers of staff and effective staff 
utilisation through effective management of shift patterns or agile 
working; 

e A clear project plan or roadmap for delivery, listing each action that 
is to be delivered, resource and timescales required for delivery and 
assignment of a delivery owner. 
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Without detailed plans and a timetable that support increased staffing 
requirements, there is a risk that the ICO will not be able recruit, train or 
manage sufficient resources to deliver the increased capability required 
by legislative change and increases in general demand for services. 


Management Response (Date | Ownership) 


Directorate structures are being finalised in liaison with the Commissioner and recruitment to Senior Leadership Team positions are currently live. Appointment to 
these positions is scheduled to be completed in March 2017. In addition, a post for a General Legal Counsel is being established. An appointment to this position 
is expected to take place in April or May after the post has been graded. The overall structure of the SLT will then be in place. 


An exercise to assess the usage of accommodation is being procured. This will feed into an agile working project which will be delivered in partnership between 
OD, IT and Business Development. This work will be scheduled for February/March 2017. 


The OD team will add to its capacity with dedicated project staff to plan and implement a review of HR processes. This will include the procurement and 
implementation of an Applicant Tracking System which has been agreed with Business Development. This will take place during the 2017/18 business year. 


Date Effective: November 2017 Owner: Michael Collins 
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Measuring Success 


2. Low 


Risk: Communications - There are no measures of success in place that allow ICO management to establish the extent to which the 


People Strategy is being delivered. 


Finding and Implication 


Proposed Action 


Organisational Development produce a presentation for the Senior 
Leadership Team that reports on: 

e Current headcount and staff distribution; 

Staff equality and diversity; 

Staff turnover, starters and leavers; 

Sick absence rates; 

Training (Learning and Development) undertaken; and 
Actions completed in supporting the business and delivering 
services. 


Review of this reporting noted that, of the thirty outcomes documented 
by the People Strategy 2016-19 that are a result of the delivery actions 
being achieved, there are no measures of success and there is no 
reporting to SLT or management on the achievement of four that are 
directly related to recruitment. In addition, the case of diversity reporting 
is only partially complete. 


In not effectively measuring or reporting on the actions under way to 
deliver increased capability, there is a risk that implementation may not 
be successful or actions may not deliver the outcomes expected by 
senior management. 


As part of the overall ICO Change Programme reporting, 
Organisational Development should agree measures of Success and 
include the status of each planned ‘People’ deliverable or action, 
paying particular attention to those actions that are not currently on 
track. In cases where delivery has slipped, the impact (including the 
effect on dependant actions) should be reported and the action owner 
should develop a mitigation plan to address the slippage. 


Management Response (Date | Ownership) 


Reports to the Management Board and new Resources Steering Group will be formatted to report progress on each strand of the People Strategy. This will include 


more expansive diversity reporting to include analysis of recruitment exercises. 


Actions and achievements in relation to the People Strategy are already reported to Change Board on a monthly basis. 


Date Effective: Management Board 08/05/17 Owner: 


Michael Collins 
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a. | Medium | Effective recruitment processes 


required to meet is regulatory obligations. 


Risk: Recruitment, retention, development and deployment - The ICO is not able to recruit the skills or the quantity of resources 


Finding and Implication 


Proposed Action 


The ICO recognises the challenges in being able to recruit skilled 
individuals in the current economic environment. To manage this 
challenge, Organisational Development has devised a Recruitment 
Strategy which will run until 2019 that considers at a high-level: 


e Key areas for recruitment; 


e Potential routes to market that can be utilised to identify 
candidates; 


e information to be included in role advertising; 


e The need to review recruitment and selection processes and 
applicant tracking. 


As already noted, the ICO has not yet formally completed detailed 
scenario planning to develop the most effective model to recruit 
potentially large numbers of additional staff. In addition, whilst set out at 
a high-level, beyond the identification of a variety of routes to market, 
there is no detailed strategy to satisfy the need to attract high quality 
candidates or to report on (and respond to) issues such as insufficient or 
low quality applications being received. There are also no contingency 
plans in place to train existing staff or recruit and train personnel with 
generalist skills should suitable experts not be available in the 
marketplace. 


Whilst the government announcement that GDPR will be fully 
implemented has not yet translated into pressure in the recruitment 
market for data protection experts, there is a risk that, in not having 
effective recruitment process in place, the ICO will find recruiting high 
quality staff in a timely manner more difficult in the future. 


As part of the initial stage of the ‘People’ project change plan, 
Organisational Development should complete their review of 
recruitment processes and identify models that could be used to recruit 
a variety of roles and numbers of staff as soon as possible. 
Consideration should be made to use assessment centres, look to 
alternative partners to head hunt candidates and explore connections 
with other public sector bodies on recruitment strategies). Processes 
should also be developed to train and upskill generalist staff should 
subject matter experts not be available in sufficient numbers. 
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3: Effective recruitment processes 


Management Response (Date | Ownership) 


OD will appoint dedicated project staff in February/March 2017. One of their key projects will be to review recruitment processes to ensure the methods used are 
efficient and cost effective. The ICO will purchase an Applicant Tracking System to be implemented in the 2017/18 business year. Work is expected to start on Q1 
for implementation in Q2 (ie by October 2017) 


The ICO has already awarded a contract for a retained Executive Search supplier to support recruitment to senior positions, which includes ‘head hunting’ 
services, which became live in December 2016. 


Date Effective: 31/10/17 Owner: Michael Collins 
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4. | Low Staff retention 


Risk: Recruitment, retention, development and deployment - The ICO loses key staff as the demand for experienced data protection 
officers increases and the ICO is not able to match employment terms and conditions on offer elsewhere in the market. 


Finding and Implication 


Proposed Action 


The staff survey shows that the majority of ICO staff find their work 
interesting (84% positive), feel that the organisation respects and values 
individual differences (71% positive), feel committed to ICO goals (76% 
positive) and they are able to strike the right balance between my work 
and home life (83% positive). However, staff have issues with reward 
and effective leadership, with 71% of staff feeling that their pay is not fair 
in comparison to other organisations, and 71% of staff stating that the 
Senior Management Team does not provide effective leadership. 
Although Organisational Development have developed and 
implemented a reward process to recognise excellent work, the 
department is constrained by civil service pay caps. To aid retention 
management has therefore chosen to concentrate on staff development, 
involving and empowering staff and ensuring roles are interesting and 
rewarding. 


Review of the People Strategy confirmed that, in response to the staff 
survey, it contains plans to enhance staff development and provide staff 
with more responsibility. However, actions do not have a specific owner 
or delivery date, and their implementation has not been integrated into 
an overall project plan (or similar document); it is therefore difficult to 
identify if there are any resource constraints on those delivering the 
plan, or even whether delivery is possible in the timescales required. 


Without a plan in place that identifies the detailed actions required to 
enhance roles within the ICO, the resource and timescales required to 
complete this work and reporting on achievement, there is a risk that the 
ICO may not deliver the required change, increase staff satisfaction and 
be able to manage staff retention levels effectively. 


To address issues of staff retention or the inability to recruit new staff, 
as part of the initial stages of the ‘People’ project change plan 
Organisational Development should include work packages running in 
parallel to the review of recruitment processes, with the aims of 
enhancing staff development and improving the overall quality of ICO 
job roles. In addition, in order to monitor progress, delivery owners and 
delivery resources with start and end dates need to be identified and 
agreed. 
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4. | Staff retention 


Management Response (Date | Ownership) 


Turnover rates remain low at the ICO at around 8%. We will continue to provide development opportunities for staff as part of our planned growth, which has seen 
150 promotions in the last two years. 


Training and development opportunities will be available for staff, with work underway for qualifications in Customer Service and Complaint Handling. These 
projects are being developed between L&D and the relevant business areas. 


We have also provided, and will continue to provide, training for specialists in IT. The provision of extensive training will help to retain people but also produces a 
risk that staff are better equipped to move on from the ICO. This is a risk that has been acknowledged and accepted, providing that staff perform effectively whilst 
benefitting from the learning experience whilst at the ICO. 

The potential to address salary rates across the board will be explored, though the pay cap will place restrictions on our capacity to achieve this. In tandem we will 
consider our capacity to recruit to specialist and technical roles providing the required skills set. 


Date Effective: We will agree a plan detailing the specific work we intend to do in the area of staff retention by [date to be confirmed]. 


Owner: Michael Collins 
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A Internal audit approach 


Approach 

Our role as internal auditor to a Public Body is to provide an independent 
and objective opinion to the Accounting Officer on risk management, 
control and governance processes, by measuring and evaluating their 
effectiveness in achieving the organisation's agreed strategic objectives. 


Our audit was carried out in accordance with the guidance contained 
within the Government’s Internal Audit Standards (2013) and the Auditing 
Practices Board’s “Guidance for Internal Auditors’. We also had regard to 
the Institute of Internal Auditors’ guidance on risk based internal auditing 
(2005). In addition, we comply in all material respects with other 
Government guidance applicable to Public Bodies and have had regard to 
the HM Treasury guidelines on effective tisk management (the ‘Orange 
Book’). 


As part of the 2016-17 Internal Audit Plan, we agreed with the Audit 
Committee and management to undertake a review to provide assurance 
over the People Strategy that is currently being put in place. 


Our aim in completing this audit was to ensure that the ICO has 
approptiate arrangements in place to identify, manage and report on risk. 
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We achieved our audit objectives by: 


e Meeting with the individuals responsible for the design and delivery of 
the People Strategy and its associated policies to identify the control 
structure in place; 

e Seeking evidence to confirm the operation of understood controls; 

e Reviewing the actions completed to date to deliver the strategy and 
recruitment objectives to evaluate delivery to date. 


Findings and conclusions from this review will support our annual opinion 
to the Audit Committee on the adequacy and effectiveness of internal 
control arrangements. 


Responsibilities 

The Information Commissioner acts through her Board of Management 
and the Information Commissioner's Office ("ICO") discharges her 
obligations, therefore references to the Information Commissioner and the 
ICO in this report relate to one and the same party. 


It is the responsibility of the Information Commissioner to ensure that the 
ICO has adequate and effective risk management, control and governance 
processes. 


HM Treasury's Corporate Governance in Central Government 
Departments (2011) states that boards of Public Bodies should determine 
the nature and extent of the significant risks it is willing to take in 
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achieving its strategic objectives. The Board should therefore maintain 
sound risk management and internal control systems and should establish 
formal and transparent arrangements for considering how they should 
apply the corporate reporting and risk management and internal control 
principles and for maintaining an appropriate relationship with the 
organisation's auditors. 


Please refer to our letter of engagement for full details of responsibilities 
and other terms and conditions. 


Scope 
Our review involved an assessment of the following risks: 


Leadership 

e ICO has not defined the future demand for its services and therefore 
cannot set the requirements for the skills and staff resources required 
(for example the impact of GDPR) 

e The strategy has insufficient planning flexibility, leaving the ICO 
unable to quickly put into action its plans to respond to the future 
requirements placed on the UK data protection regulator 

e The People Strategy does not set out the organisational changes that 
may be needed, to manage potentially significantly more staff 

e There is no clear roadmap or action plan of how to execute the 
strategy. 


Communications 

e Staff communication/engagement at the ICO is poor leading to 
performance that does not meet requirements, or results in high 
turnover of staff, disrupting core operations 

e ICO management team is not able to engage with staff and motivate 
them to meet the organisation’s objectives 
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e There are no measures of success in place that allow the ICO 
management team to establish the extent to which the People Strategy 
is being delivered 

e Staff recruitment, retention, development and deployment 

e The ICO is not able to recruit the skills or the quantity of resources 
required to meet is regulatory obligations 

e The ICO loses key staff as the demand for experienced data protection 
officers increases and the ICO is not able to match employment terms 
and conditions on offer elsewhere in the market 

e Staff management practices fail to ensure staff performance is 
managed appropriately, or are unable to cope with significant increases 
in staff numbers 

e Staff are not provided with appropriate development and training 
opportunities, leading to skills gaps and/or loss of morale 
ICO cannot meet the demand for its services, taking into account that 
there are physical building constraints 

e Deployment of staff resources is inefficient or ineffective, leading to 
ICO functions not having appropriate staff (either in quality/skills or 
quantity) or too many that remain under-utilised 


Additional Information 


Client staff 
The following staff were consulted as part of this review: 


e = Mike Collins — Head of Organisational Development; 


e Robert Parker — Head of Corporate Affairs 
e Rachael Cragg — Group Manager — Change Programme 
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Documents received 
The following documents were received during the course of this audit: 


e People Strategy 2016-17 

e Recruitment Strategy 2016-19 

e Communication Objectives for the People Strategy 

e Information Commissioner communication to staff (November 2016) 

e Organisational Development reporting — January 2016, April 2016, 
July 2016, October 2016 

e Pay Benchmarking data 

e Homeworking policy (December 2014) 

e Staff Survey results 2016 


Locations 
We visited The Information Commissioner's Office, Wilmslow for this 
review. 
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B Overall assessment and audit issues rating 


Overall assessment 


Rating Description 


Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which should be 
raised with Senior Management and the Audit Committee at the earliest opportunity. 


Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which require the 
attention of management to resolve and report on progress in line with current follow up processes. 


We have identified matters which, if resolved, will help management fulfil their responsibility to maintain a robust system of internal control. 


Audit issue rating 
Within each report, every audit issue is given a rating. This is summarised in the table below. 


Description Features 


Key control not designed or operating effectively 

Potential for fraud identified 

Non compliance with key procedures / standards 

Non compliance with regulation 

e Impact is contained within the department and compensating 
controls would detect errors 

e Possibility for fraud exists 

e Control failures identified but not in key controls 

e Non compliance with procedures / standards (but not resulting in key 

control failure) 

Minor control weakness 

Minor non compliance with procedures / standards 

Information for department management 

Control operating but not necessarily in accordance with best 

practice 


Findings that are fundamental to the management of risk in the business 
area, representing a weakness in control that requires the immediate 
attention of management 


Important findings that are to be resolved by line management. 


Findings that identify non-compliance with established procedures. 


Items requiring no action but which may be of interest to management or 
best practice advice 
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